I think you're backwards. Or maybe I am. Referring to two servers rather
than a server and a client makes this more confusing; in any ssh
connection, one side is acting as a server and the other side is acting as
a client, no matter what other purpose the two machines have.
When using public-key authentication, the ssh server knows the public half
of the key, and the ssh client knows the private half of the key (and also
the public half).
If the key is vulnerable, then any client given a bunch of tries can guess
the private half of the key.
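Why the public half is enough when the generator is weak, as an added illustration that is not code from this thread, from OpenSSL or from OpenSSH: a toy key generator whose only entropy is a small seed, an attacker who regenerates every candidate key until one matches the public half, and a challenge-response check that the recovered key then passes. The group (P, G), the seed range SEED_SPACE, and all function names are assumptions made for the toy; the seed range is chosen to be process-ID sized, since a seed that small is exactly what makes a key "vulnerable" in the sense of the comment above.

```python
"""Toy demonstration: a key derived from a low-entropy seed can be recovered
from its public half by enumerating seeds. Added example, not the page's code.
Assumptions: toy prime P and generator G (not a real SSH group), a PID-sized
seed range, and a Diffie-Hellman style proof of possession standing in for
the real SSH signature check."""
import random
import secrets

P = 2**127 - 1        # assumption: toy Mersenne-prime modulus
G = 3                 # assumption: toy generator
SEED_SPACE = 32768    # assumption: seed drawn from a PID-sized range

def keypair_from_seed(seed):
    """Derive (private, public) deterministically from `seed`.
    A generator whose only entropy is `seed` is the failure mode discussed:
    the same seed always yields the same key."""
    rng = random.Random(seed)          # deterministic PRNG, seeded by `seed` only
    priv = rng.getrandbits(120) | 1    # private half
    return priv, pow(G, priv, P)       # public half is G^priv mod P

def weak_keygen(pid):
    """The broken generator: entropy is nothing but the process id."""
    return keypair_from_seed(pid)

def strong_keygen():
    """A sane generator: private half drawn from the OS CSPRNG."""
    priv = secrets.randbits(120) | 1
    return priv, pow(G, priv, P)

def recover_private(pub, seed_space=SEED_SPACE):
    """Attacker holds only the public half. Regenerate the key for every
    seed the broken generator could have used and compare public halves.
    Returns the private half, or None if the key did not come from this
    generator (a strong key never matches)."""
    for seed in range(seed_space):
        priv, cand_pub = keypair_from_seed(seed)
        if cand_pub == pub:
            return priv
    return None

def server_challenge():
    """Server picks a fresh secret r and sends R = G^r mod P."""
    r = secrets.randbits(120) | 1
    return r, pow(G, r, P)

def client_response(priv, challenge):
    """Whoever holds the private half answers with R^priv mod P."""
    return pow(challenge, priv, P)

def server_verify(pub, r, response):
    """Server accepts if the answer equals pub^r mod P, i.e. G^(r*priv)."""
    return response == pow(pub, r, P)

def impersonate(pid=4242):
    """End to end: a victim's weak key is recovered from its public half and
    the attacker then passes the server's proof-of-possession check."""
    priv, pub = weak_keygen(pid)
    stolen = recover_private(pub)
    if stolen is None:
        return False
    r, challenge = server_challenge()
    return stolen == priv and server_verify(pub, r, client_response(stolen, challenge))

if __name__ == "__main__":
    print("weak key impersonated:", impersonate())
    _, strong_pub = strong_keygen()
    print("strong key recovered:", recover_private(strong_pub) is not None)
```

The server in this toy does everything right; the only defect is on the side that generated the key, which is the point of the comment: a strong server and a strong protocol do not help once the client's private half is one of a small, enumerable set.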
Effects much worse for other distributions than expected
Posted May 15, 2008 19:19 UTC (Thu) by nix (subscriber, #2304)
Er, yeah, sorry, bad phrasing. If the client (from which you're connecting,
which has the secret key) is not vulnerable, and the server (to which
you're connecting, and which has the public key) is vulnerable, you are
safe: otherwise, you are not.
Effects much worse for other distributions than expected
Posted May 15, 2008 20:24 UTC (Thu) by rfunk (subscriber, #4054)
Actually I wouldn't say you're entirely safe if the server is vulnerable and you're not.
There's still the issue of the host key, which is used to prevent the bad guys from
pretending to be the server. If that host key is compromised, then someone can pretend
to be the server. Then you're in a little trouble if they can also get your public key (it's
treated as public, shouldn't be horribly hard), and more trouble if you're using password
authentication.